We are providing this report for review and comment. We considered comments
from  the  Defense  Finance  and  Accounting  Service  when  preparing  the  final  report. 

DoD  Directive  7650.3  requires  that  all  recommendations  be  resolved  promptly. 
The  Defense  Finance  and  Accounting  Service  comments  were  partially  responsive.  We 
request additional comments on Recommendations A.1., B.2., and C. Therefore, we
request that the Director, Defense Finance and Accounting Service provide comments by
March 19, 2008.

If  possible,  please  send  management  comments  in  electronic  format  (Adobe 
Acrobat  file  only)  to  AudDFS@dodig.mil.  Copies  of  the  management  comments  must 
contain  the  actual  signature  of  the  authorizing  official.  We  cannot  accept  the  /  Signed  / 
symbol  in  place  of  the  actual  signature.  If  you  arrange  to  send  classified  comments 
electronically,  they  must  be  sent  over  the  SECRET  Internet  Protocol  Router  Network 
(SIPRNET). 

We  appreciate  the  courtesies  extended  to  the  staff.  Questions  should  be  directed 
to  Edward  A.  Blair  at  (216)  706-0074  ext.  226  or  Ms.  Cecelia  M.  Ball  at  (816)  926-8501 
ext.  222  (DSN  456-8501).  The  team  members  are  listed  inside  the  back  cover.  See 
Appendix  B  for  the  report  distribution. 

By  direction  of  the  Deputy  Inspector  General  for  Auditing: 
Defense Financial Auditing Service
Managers’ Financial Integrity Act, Federal Financial
Management  Improvement  Act,  and  Federal  Information 
Security  Management  Act  Reporting  for  FY  2005 


Executive  Summary 


Who  Should  Read  This  Report  and  Why?  Defense  Finance  and  Accounting  Service 
(DFAS)  Headquarters,  Cleveland,  and  Kansas  City  personnel  responsible  for  the  internal 
control  program  and  Annual  Statement  of  Assurance  reporting;  and  Department  of  Navy 
and  United  States  Marine  Corps  personnel  responsible  for  financial  management  and 
reporting  should  read  this  report.  This  report  contains  recommendations  that  DFAS 
Kansas  City  should  follow  to  ensure  that  effective  internal  controls  are  in  place  to  assess 
and  report  on  its  Management  Control  Program.  The  United  States  Marine  Corps  relies 
on  assurances  made  regarding  the  effectiveness  of  controls  DFAS  Kansas  City  uses  to 
prepare  the  United  States  Marine  Corps  stand-alone  financial  statements.  The  United 
States  Marine  Corps  financial  statements  are  consolidated  into  the  Department  of  Navy 
financial  statements. 

Background.  This  report  provides  an  assessment  of  the  reliability  of  the  DFAS  Kansas 
City  FY  2005  Annual  Statement  of  Assurance  report  on  internal  control  required  by  the 
Federal  Managers’  Financial  Integrity  Act  (FMFIA)  and  Federal  Financial  Management 
Improvement  Act  (FFMIA).  In  addition,  this  report  provides  an  assessment  of  DFAS 
Federal Information Security Management Act (FISMA) reporting on its security
program.  DFAS  Kansas  City  is  responsible  for  reporting  the  United  States  Marine  Corps 
financial  statement  data  to  the  Department  of  the  Navy.  This  report  discusses  how  DFAS 
Kansas  City  implemented  policies  and  procedures  governing  internal  controls  over 
financial  data. 

Results.  DFAS  Kansas  City  did  not  have  adequate  processes  in  place  to  determine 
whether  material  internal  control  weaknesses  existed  and  were  included  in  the  FMFIA, 
FFMIA,  and  FISMA  annual  reports  as  required.  Specifically,  DFAS  Kansas  City  did  not 
have  an  adequate  management  control  program  (finding  A),  did  not  comply  with 
financial  management  system  control  reporting  requirements  (finding  B),  and  submitted 
incomplete information for Federal Information Security Management Act reporting
(finding  C).  Without  adequate  processes  in  place,  DFAS  Kansas  City  and  the  United 
States  Marine  Corps  cannot  ensure  an  effective  control  environment  for  producing 
accurate  and  timely  financial  information.  DFAS  Kansas  City  must  address  these 
vulnerabilities  as  required  by  Federal  and  DoD  criteria  outlined  in  the  report.  See  the 
Findings  section  of  the  report  for  the  detailed  recommendations. 

Management  Comments  and  Audit  Response. 

The  Director,  DFAS  Kansas  City  nonconcurred  with  all  recommendations.  He  included 
in  his  comments  that  the  Chief  Information  Officer,  Defense  Finance  and  Accounting 
Service also nonconcurred with the recommendations. Although the Director, DFAS
Kansas City nonconcurred, we identified some corrective actions that we consider
responsive  to  the  intent  of  the  recommendations.  These  actions  were  responsive  and 
further  comments  are  not  required.  We  revised  and  redirected  other  recommendations  to 
the  Director,  DFAS  because  comments  were  not  responsive. 

We  request  that  the  Director,  DFAS  comment  on  the  final  report  by  March  19,  2008.  See 
the  Findings  section  of  the  report  for  a  discussion  of  management  comments  and  the 
Management  Comments  section  of  the  report  for  the  complete  text  of  the  comments. 
Background


The  Defense  Finance  and  Accounting  Service  (DFAS)  Kansas  City  is  responsible 
for  reporting  the  United  States  Marine  Corps  (USMC)  financial  statement  data  to 
the  Department  of  the  Navy.  This  financial  statement  data  is  ultimately  included 
in  the  DoD  consolidated  financial  statements.  USMC  relies  on  DFAS  Kansas 
City’s  assurances  regarding  the  controls  used  to  prepare  the  USMC  financial 
reports  and  ultimately  its  financial  statements.  The  DFAS  Kansas  City 
Accounting  Business  Line  provides  controls  and  functional  management 
oversight  of  accounting  services  and  processes  used  to  generate  the  USMC 
financial  statements.  Established  controls  should  reasonably  ensure  that  assets 
are  safeguarded.  In  addition,  these  controls  should  reasonably  ensure  that 
obligations,  revenues,  and  expenditures  are  accounted  for  and  properly  recorded 
to  produce  reliable  financial  reports.  These  disciplined  financial  and  management 
controls  are  essential  in  preventing  potential  fraud,  waste,  and  abuse.  DFAS 
Kansas  City  reports  on  its  internal  control  structure  in  its  Annual  Statement  of 
Assurance  (ASA). 

Management  Control  Reporting.  All  agency  heads  must  evaluate  and  report 
annually  to  the  President  and  Congress  on  their  management  controls  and 
financial  systems  used  to  protect  the  integrity  of  Federal  programs.  This 
reporting  is  required  by  the: 

•  Federal  Managers’  Financial  Integrity  Act  of  1982  (FMFIA), 

•  Federal  Financial  Management  Improvement  Act  of  1996  (FFMIA), 
and 

• Federal Information Security Management Act of 2002 (FISMA).

FMFIA  Reporting.  In  1982,  Congress  passed  the  FMFIA,1  which  requires 
agencies  to  develop  cost-effective  internal  accounting  and  administrative  controls. 
These  controls  are  intended  to  help  ensure  that  an  agency’s: 

•  obligations  and  costs  are  in  compliance  with  applicable  law; 

•  funds,  property,  and  other  assets  are  safeguarded  against  waste,  loss, 
unauthorized  use,  or  misappropriation;  and 

•  revenues  and  expenditures  applicable  to  agency  operations  are 
properly  recorded  and  accounted  for. 

Section  2  of  the  FMFIA  requires  the  head  of  each  agency  to  evaluate  annually  the 
agency’s  internal  control  and  prepare  an  ASA  indicating  the  effectiveness  of  its 
internal control. The agency head must include in its ASA any identified material
weaknesses in internal control as well as plans and schedules for correcting those
weaknesses.

1 The key provisions of FMFIA were codified in section 3512 (c) and (d), title 31, United States Code.

Section  4  of  the  FMFIA  requires  that  the  head  of  each  agency  include  a  separate 
report  on  whether  the  agency’s  accounting  system  conforms  to  the  principles, 
standards,  and  related  requirements  prescribed  by  the  Comptroller  General. 

FFMIA  Reporting.  The  FFMIA  is  intended  to  advance  Federal  financial 
management  by  ensuring  that  Federal  financial  management  systems: 

•  can  and  do  provide  reliable,  consistent  disclosure  of  financial  data; 

•  disclose  financial  data  in  a  manner  that  is  uniform  across  the  Federal 
Government  from  year  to  year;  and 

•  comply  with  applicable  Federal  accounting  standards. 

The  FFMIA  is  intended  to  provide  the  basis  for  ongoing  use  of  reliable  financial 
information  in  program  management  and  in  oversight  by  the  President,  Congress, 
and  the  public.  Even  though  there  are  separate  reporting  requirements  for  FFMIA, 
the  FMFIA  requires  that  the  FFMIA  information  be  included  in  Section  4  of  the 
FMFIA  ASA. 

FISMA  Reporting.  FISMA  provides  the  framework  for  securing  the  Federal 
Government’s information technology including both unclassified and national
security  systems.  These  systems  include  financial  and  non-financial  systems.  All 
agencies  must  implement  the  requirements  of  FISMA  and  report  annually  to  the 
Office  of  Management  and  Budget  (OMB)  and  Congress  on  the  effectiveness  of 
their  security  programs  based  on  OMB  guidance  and  requirements.  If  the  security 
programs  do  not  fully  comply  with  FISMA  requirements,  these  weaknesses  must 
be  reported  in  the  annual  FMFIA  ASA  and  FFMIA  reports. 

OMB Guidance. OMB Circular A-123, “Management’s Responsibility for
Internal Control,” revised June 21, 1995,2 provides guidance to Federal managers
on  improving  the  accountability  and  effectiveness  of  Federal  programs  and 
operations  by  establishing,  correcting,  and  reporting  on  internal  control. 

OMB  issued  “Revised  Implementation  Guidance  for  the  Federal  Financial 
Management  Improvement  Act,”  on  January  4,  2001.  This  guidance  lists  the 
specific  requirements  of  FFMIA,  as  well  as  factors  to  consider  in  reviewing 
systems  for  compliance.  It  also  provides  guidance  to  agency  heads  developing 
corrective  action  plans  to  bring  an  agency  into  compliance  with  FFMIA. 


2  OMB  Circular  A-123  was  revised  December  21,  2004;  the  revision  was  not  in  effect  until  FY  2006,  but 
agencies  were  encouraged  to  implement  it  in  FY  2005.  The  revision  changed  terminology  from 
“management  controls”  to  “internal  control”  and  added  Appendix  A  to  specifically  address  assessing, 
documenting,  and  reporting  on  the  effectiveness  of  internal  control  over  financial  reporting.  Appendix  A 
was  added  to  strengthen  the  previously  identified  internal  control  reporting  requirements. 




In  addition,  OMB  issued  Memorandum  M-05-15  “FY  2005  Reporting 
Instructions  for  the  Federal  Information  Security  Management  Act  and  Agency 
Privacy  Management,”  on  June  13,  2005.  This  memorandum  provides 
instructions  for  agency  reporting  under  FISMA.  The  agency’s  FISMA 
information  is  submitted  to  OMB. 

Ultimately,  OMB  uses  the  information  to: 

• help evaluate agency-specific and Government-wide security
performance,

• develop its annual security report to Congress,

• assist in improving and maintaining adequate agency security
performance, and

•  develop  the  E-Government  Scorecard  as  part  of  the  President’s 
Management  Agenda. 

DoD  Guidance.  DoD  Instruction  5010.40,  “Management  Control  Program 
Procedures,” August 28, 1996,3 is the official document for DoD compliance with
the FMFIA and OMB Circular A-123. DoD Instruction 5010.40 sets forth the
responsibilities of the Under Secretary of Defense (Comptroller)/Chief Financial
Officer  with  regard  to  implementing  its  program. 

To  satisfy  the  reporting  requirement  of  FMFIA,  DoD,  using  information  from  the 
DoD  Components,  prepares  an  ASA  to  report  on  whether  the  agency’s  internal 
control  is  effective  and  achieving  the  intended  objectives  in  accordance  with 
established  guidelines  and  standards.  Compliance  with  FMFIA,  FFMIA,  and 
FISMA  reporting  should  be  used  as  an  indicator  that  disciplined  financial  and 
management  controls  are  in  place.  Effective  management  controls  are  intended  to 
prevent  potential  fraud,  waste,  and  abuse. 


Objectives 

The  overall  audit  objective  was  to  assess  the  internal  controls  in  place  for 
reporting  USMC  financial  and  management  data  as  related  to  accounting 
functions  performed  by  DFAS  Kansas  City.  Specifically,  we  determined  whether 
the  processes  for  completing  FY  2005  reports  required  by  the  FMFIA,  FFMIA, 
and  FISMA  were  adequate.  See  Appendix  A  for  a  discussion  of  the  scope  and 
methodology. 


3  Our  review  of  internal  controls  was  done  under  the  auspices  of  DoD  Directive  5010.38,  “Management 
Control  Program,”  August  26,  1996,  and  DoD  Instruction  5010.40,  “Management  Control  Program 
Procedures,”  August  28,  1996.  DoD  Instruction  5010.40,  “Managers’  Internal  Control  Program,”  was 
reissued  on  January  4,  2006.  DoD  Directive  5010.38  has  been  incorporated  into  DoD  Instruction 
5010.40  and  DoD  Directive  5010.38  has  been  cancelled. 
A. Adequacy of Internal Control Program

DFAS  Kansas  City  Accounting  Business  Line  personnel  did  not 
adequately  implement  OMB,  DoD,  and  DFAS  guidance  to  comply  with 
FMFIA  requirements.  Specifically,  DFAS  Kansas  City  Accounting 
Business  Line  personnel  did  not: 

•  complete  required  risk  assessments  for  each  functional  area, 

•  properly  identify  management  controls, 

•  determine  whether  all  major  functions  were  included  in  an 
assessable  unit,4  and 

•  provide  control  testing  documentation  supporting  the  FMFIA 
ASA  report. 

FMFIA  requirements  were  not  adequately  implemented  because  DFAS 
Kansas  City  Accounting  Business  Line  personnel  did  not  receive 
appropriate  oversight  and  training.  In  addition,  they  were  not  fully  aware 
of  their  reporting  responsibilities.  As  a  result,  the  processes  used  did  not 
meet  FMFIA  requirements,  and  DFAS  Kansas  City  cannot  ensure  the 
reliability  of  its  FMFIA  ASA. 


Risk  Assessments 


DFAS  Kansas  City  did  not  complete  required  risk  assessments  for  each  functional 
area. OMB Circular A-123, “Management Accountability and Control,” revised
June  21,  1995;  DoD  Instruction  5010.40,  “Management  Control  Program 
Procedures,”  August  28,  1996;  and  DFAS  Kansas  City  Standard  Operating 
Procedures,  “Federal  Managers’  Financial  Integrity  Act,  Section  2  Management 
Control  Program,”  July  28,  2004,  require  risk  assessments  to  determine  a 
functional  area’s  (assessable  unit’s)  vulnerability  to  waste,  fraud,  loss,  abuse, 
mismanagement,  and  misappropriation.  DFAS  Kansas  City  Management  Control 
Evaluations  identified  risks  as  error  reports,  incomplete  cycles,  and  poor  customer 
service. However, OMB A-123 states that risk assessments should address the
potential  effect  on  the  financial  statements  and  the  five  financial  statement 
assertions  of: 

• existence

• completeness

• valuation

• rights and obligations

• presentation and disclosure.

4 An assessable unit is a function or group of functions that require a manager to control resources within a
business line or support service.

Without  DFAS  Kansas  City  identifying  areas  of  risk,  they  cannot  design  or 
institute  controls  to  minimize  that  risk.  DFAS  Kansas  City  personnel  were  not 
properly  trained  and  were  unaware  of  the  requirements.  DFAS  Kansas  City 
provided  FMFIA  reporting  requirements  training  in  April  2006  to  DFAS  Kansas 
City  personnel.  In  addition,  in  September  2006,  the  Office  of  Under  Secretary 
Defense (Comptroller)/Chief Financial Officer provided training on OMB
Circular No. A-123, Appendix A. However, this training occurred after the 2006
ASA  was  issued,  and  the  training  did  not  incorporate  all  requirements  for  FMFIA 
ASA  reporting.  The  training  only  addressed  the  financial  reporting  requirements, 
not  the  entire  Management  Control  Program.  We  reviewed  the  FY  2006  DFAS 
Kansas City ASA and supporting information. We determined DFAS Kansas
City  did  not  implement  significant  changes  to  its  risk  assessment  processes  for  FY 
2006. 


Internal  Controls 


DFAS  Kansas  City  personnel  did  not  properly  identify  internal  controls  because 
DFAS  Kansas  City  identified  performance  measures  in  its  Management  Control 
Evaluations. OMB Circular A-123 defines internal controls as the organization,
policies,  and  procedures  used  to  reasonably  ensure  that: 

•  resources  are  used  consistent  with  the  agency  mission; 

•  programs  and  resources  are  protected  from  waste,  fraud,  and 
mismanagement;  and 

•  reliable  and  timely  information  is  obtained,  maintained,  reported,  and 
used  for  decision  making. 

DFAS  Kansas  City  did  not  define  their  internal  controls  as  required,  but  instead 
identified performance measures as internal controls. For example, Field
Accounting  personnel  stated  that  one  of  their  controls  was  to  use  desktop 
procedures  and  journal  vouchers  to  ensure  timely  preparation  and  delivery  of  the 
monthly  trial  balance  to  Departmental  Accounting.  The  reported  internal  controls 
did  not  indicate  how  those  controls  ensured  the  accuracy  and  reliability  of 
financial  information,  only  that  the  trial  balances  were  delivered  timely.  Upon 
subsequent  review  of  the  FY  2006  DFAS  Kansas  City  ASA  and  supporting 
information,  we  determined  that  DFAS  Kansas  City  did  not  implement  significant 
changes  to  identify  applicable  Managers’  Internal  Controls. 




Assessable  Units 


DFAS  Kansas  City  Accounting  Business  Line  personnel  did  not  determine 
whether  all  major  functions  were  included  in  an  assessable  unit.  DFAS  Kansas 
City  standard  operating  procedures  require  that  flowcharts  be  completed  for  major 
functions  and  processes  to  identify  internal  controls  and  their  locations.  All  major 
functions  and  activities  must  be  included  in  one  or  more  assessable  units. 
Assessable  units  should  be  linked  to  specific  processes  identified  in  the 
flowcharts. 

DFAS  Kansas  City  Accounting  Business  Line  personnel  were  unable  to  provide 
flowcharts  or  other  documentation  to  identify  internal  controls  and  where  the 
controls  reside  in  DFAS  processes  as  required  by  DFAS  regulations.  Because 
DFAS  Kansas  City  could  not  provide  this  documentation  and  DFAS  Kansas  City 
personnel  were  unclear  as  to  their  duties  in  regards  to  FMFIA,  we  have  no 
assurance  that  all  major  functions  were  included  in  an  assessable  unit.  Upon 
subsequent  review  of  the  FY  2006  DFAS  Kansas  City  ASA  and  supporting 
information,  we  determined  that  DFAS  Kansas  City  did  not  implement  significant 
changes  to  ensure  that  all  major  functions  were  included  in  an  assessable  unit. 


Control  Testing  Documentation 


DFAS  Kansas  City  did  not  provide  control  testing  documentation  supporting  its 
FMFIA ASA. OMB Circular A-123 requires that documentation for internal
controls  and  other  significant  events  must  be  clear  and  readily  available  for 
examination.  In  addition,  DoD  Instruction  5010.40  and  DFAS  Kansas  City 
standard  operating  procedures  require  that  appropriate  documentation  be 
maintained.  Specifically,  DFAS  Kansas  City  standard  operating  procedures 
require  that  a  file  be  maintained  for  supporting  documentation  and  work  papers 
associated  with  each  Management  Control  Evaluation  completed.  Management 
Control  Evaluations  are  used  to  document  the  testing  of  these  internal  controls. 

We  requested  internal  control  documentation  supporting  DFAS  Kansas  City 
Management  Control  Evaluations.  DFAS  Kansas  City  could  not  provide  the 
testing  documentation  as  required  because  they  were  not  fully  aware  of  their 
reporting  responsibilities.  As  a  result,  we  could  not  verify  the  adequacy  of  the 
Manager’s  Annual  Assessable  Unit  Certification  Statement.  Upon  our  subsequent 
review  of  the  FY  2006  DFAS  Kansas  City  ASA  and  supporting  information, 
DFAS  Kansas  City  did  not  implement  significant  changes  to  maintain  testing 
documentation  supporting  the  ASA  report. 


Conclusion 


The  Internal  Control  Program  processes  reviewed  did  not  provide  adequate 
information  to  ensure  accurate  reporting  for  compliance  with  FMFIA.  DFAS 
Kansas  City  personnel  did  not  understand  their  duties  or  follow  prescribed 
procedures for FMFIA reporting. This was evidenced by the lack of risk
assessments,  improperly  identified  internal  controls,  the  inability  to  determine 
whether  all  major  functions  were  identified  and  included  in  an  assessable  unit, 
and  the  lack  of  control  testing  documentation.  Until  DFAS  Kansas  City  follows 
the  OMB,  DoD,  and  DFAS  policies  and  procedures,  its  FMFIA  ASA  cannot  be 
relied upon to provide accurate information on the effectiveness of the internal
control  environment.  The  ASA  becomes  more  critical  as  the  USMC  moves 
forward  in  obtaining  an  audit  opinion  on  their  stand-alone  financial  statements. 

In  addition,  as  DFAS  Kansas  City  is  scheduled  to  close  as  part  of  the  Base 
Realignment  and  Closure,  the  importance  of  identifying  and  ensuring  that  proper 
controls  are  in  place  becomes  more  critical  as  functions  move  to  other  DFAS 
locations.  For  FY  2006,  DFAS  Kansas  City  did  not  implement  significant 
changes  to  its  ASA  preparation  and  reporting  processes  to  assess  risks,  identify 
applicable  Managers’  Internal  Controls,  ensure  all  major  functions  were  included 
in  an  assessable  unit,  and  maintain  testing  documentation  supporting  the  ASA 
report. 


Management  Comments  on  the  Finding  and  Audit  Response 


Management Comments on Adequacy of Internal Control Program. The
Director, DFAS Kansas City stated that the processes reviewed provided adequate
information  to  ensure  accurate  reporting  for  compliance  with  the  FYs  2005  and 
2006  ASAs.  To  improve  the  Section  2  reporting,  DFAS  Kansas  City  sought  to 
strengthen  the  internal  management  control  program  by  providing  training  on 
internal  control  activities  and  implementing  a  new  Internal  Control  Unit  in 
August  2006.  DFAS  Kansas  City  does  not  agree  that  its  internal  control 
processes  could  not  identify  risk  and  could  not  design  or  institute  controls  to 
minimize  risks,  but  does  agree  that  reporting  and  documentation  could  have  been 
improved. 

Audit  Response.  DFAS  Kansas  City  did  provide  training  in  September  2006; 
however,  the  training  did  not  apply  to  the  time  frame  for  this  audit.  The  Director, 
DFAS  Kansas  City  agreed  that  reporting  and  documentation  could  be  improved; 
the  available  documentation  did  not  provide  evidence  that  DFAS  Kansas  City 
internal  control  processes  identified  risks,  designed  controls,  and  established 
controls  to  minimize  risks. 


Recommendations,  Management  Comments,  and  Audit 
Response 


Revised  and  Redirected.  As  a  result  of  management  comments,  we  revised  and 
redirected Recommendation A.1 to the Director, DFAS to provide training
regarding  internal  control  to  personnel  responsible  for  current  and  future  Marine 
Corps  Accounting  Business  Line  functions. 
A.1. We recommend that the Director, Defense Finance and Accounting
Service  provide  training  to  current  and  future  Defense  Finance  and 
Accounting  Service  personnel  responsible  for  the  Marine  Corps  Accounting 
Business  Line  to  ensure  compliance  with  Office  of  Management  and  Budget 
and  Defense  Finance  and  Accounting  Service  policies.  Specifically,  the 
training  should  cover: 

a.  adequate  risk  assessments, 

b.  the  associated  internal  controls  to  ensure  reliability, 

c.  measurable  assessable  units,  and 

d.  procedures  for  maintaining  control  testing  documentation. 

Management  Comments.  The  Director,  DFAS  Kansas  City  nonconcurred.  The 
Director,  DFAS  Kansas  City  stated  that  risk  assessments  were  completed  as  part 
of  the  Management  Control  Assessable  Unit  Matrix  Evaluation  Form, 
documented, and signed in accordance with DFAS 5010.38-R (May 2002). He
added  that  the  risk  criteria  cited  by  the  DoD  Office  of  the  Inspector  General 
applies  to  the  organizations  responsible  for  reporting  Internal  Controls  over 
Financial Reporting (OMB A-123 Appendix A) not DFAS Kansas City.

Regarding  the  internal  controls  to  ensure  reliability,  the  Director,  DFAS  Kansas 
City  stated  that  their  review  of  Assessable  Unit  Matrixes  for  FYs  2005  and  2006 
found  that  83%  and  97%  respectively  did  not  use  Performance  Management 
Indicators  as  Key  Controls.  Performance  Management  Indicators  were  identified 
in  addition  to  other  controls  in  those  Assessable  Units  noted  by  the  DoD  Office  of 
the  Inspector  General.  The  Director,  DFAS  Kansas  City  agreed  that  managers  are 
responsible  for  assessing  whether  all  of  their  major  functions  are  included  in  the 
respective  assessable  units.  Although  flowcharts  were  not  required  by  the  DFAS 
5010.38-R (May 2002), DFAS Kansas City standard operating procedures did
require  flowcharts  but  personnel  did  not  follow  the  procedures.  The  Director, 
DFAS  Kansas  City  also  agreed  that  DFAS  Kansas  City  provided  incomplete  test 
documentation.  He  indicated  that  the  documentation  for  FYs  2005  and  2006  was 
sufficient  to  support  the  FYs  2005  and  2006  ASAs.  He  also  stated  that  DFAS 
Kansas  City  received  positive  feedback  on  its  Fund  Balance  With  Treasury 
processes  from  the  Naval  Audit  Service  in  2006  and  the  Standard  Accounting, 
Budgeting,  and  Reporting  System  received  Joint  Financial  Management 
Improvement  Program  certification  by  an  independent  firm  (July  2005). 

Audit  Response.  The  Director,  DFAS  Kansas  City  comments  were  not 
responsive.  He  did  not  address  the  recommendation,  but  first  focused  on  risk 
assessment  criteria.  Because  DFAS  Kansas  City  supports  financial  reporting  for 
the  USMC,  it  is  important  that  DFAS  provide  training  for  personnel  to  ensure  that 
OMB A-123 requirements are achieved. Second, we reviewed the support for
DFAS  Kansas  City’s  percentages;  we  determined  that  35  percent  and  21  percent 
of  the  Assessable  Unit  matrixes  for  FYs  2005  and  2006,  respectively,  were 
Performance  Management  Indicators  (performance  measures).  Performance 
measures  do  not  ensure  the  accuracy  and  reliability  of  financial  information.  In 
addition, DFAS Kansas City analysis included Assessable Units that were not
within  the  scope  of  this  audit.  Third,  because  the  Director,  DFAS  Kansas  City 
agreed  that  standard  operating  procedures  requiring  flowcharts  were  not  followed, 
the  recommendation  should  be  implemented.  Finally,  the  Director,  DFAS  Kansas 
City  agreed  DFAS  Kansas  City  did  not  provide  all  ASA  test  documentation.  In 
the  absence  of  complete  documentation,  we  could  not  verify  that  the  FYs  2005 
and  2006  ASAs  were  fully  supported.  As  part  of  internal  management  control 
procedures,  complete  documentation  must  be  maintained  to  support  the  ASA. 

The  Director,  DFAS  Kansas  City  indicated  that  the  Naval  Audit  Service  and  Joint 
Financial  Management  Improvement  Program  Certification  testing  reports 
reinforced  the  DFAS  Kansas  City  internal  control  environment  to  support  an 
ASA. However, the results from this testing are only part of the entire internal
control  program  and  deficiencies  were  identified  in  both  reports.  The  Naval 
Audit  Service  performed  testing  only  on  Fund  Balance  With  Treasury.  The 
Standard  Accounting,  Budgeting,  and  Reporting  System  did  not  pass  testing  for 
Joint  Financial  Management  Improvement  Program  Certification,  completed  by 
an  independent  firm.  The  independent  firm’s  report  did  not  state  that  the 
Standard  Accounting,  Budgeting,  and  Reporting  System  is  Joint  Financial 
Management  Improvement  Program  certified.  According  to  the  independent 
firm’s  report,  the  Standard  Accounting,  Budgeting,  and  Reporting  System  was 
tested  for  only  212  of  the  331  Joint  Financial  Management  Improvement  Program 
requirements.  Of  the  212  Joint  Financial  Management  Improvement  Program 
requirements  tested,  the  Standard  Accounting,  Budgeting,  and  Reporting  System 
failed  to  meet  56  of  those  requirements,  23  of  which  were  critical  requirements 
for  certification.  Over  one  third,  or  115,  requirements  for  feeder  systems  should 
also  be  assessed.  DFAS  must  test  these  feeder  systems  to  know  the  extent  of  their 
financial  systems  compliance  to  FFMIA  to  support  USMC  financial  reporting. 

We  request  that  the  Director,  DFAS  review  and  comment  on  our  recommendation 
to  provide  training  to  personnel  responsible  for  current  and  future  Marine  Corps 
Accounting  Business  Line  functions  to  ensure  compliance  with  OMB  and  DFAS 
policies. 

A.2.  We  recommend  the  Director,  DFAS  Kansas  City  designate 
knowledgeable  personnel  to  lead  and  monitor  the  Defense  Finance  and 
Accounting  Service  Kansas  City  Management  Control  Program. 

Management  Comments.  The  Director,  DFAS  Kansas  City  nonconcurred.  The 
Director,  DFAS  Kansas  City  stated  that  it  has  had,  and  continues  to  have, 
knowledgeable  personnel  to  lead  and  monitor  its  Management  Control  Program. 
DFAS  Kansas  City  established  a  three-person  Management  Control  Team  in 
August  of  2006  to  provide  additional  support  and  capabilities. 

Audit Response. Although the Director, DFAS Kansas City nonconcurred, the
comments  are  responsive.  The  establishment  of  a  Management  Control  Team 
indicates  that  corrective  actions  have  been  implemented  that  would  meet  the 
intent  of  our  recommendation  and  potentially  correct  the  deficiency.  No  further 
comments  are  requested. 

A.3. We recommend the Director, DFAS Kansas City coordinate with
Defense  Finance  and  Accounting  Service  Cleveland  to  ensure  that  the 
Defense  Finance  and  Accounting  Service  Kansas  City’s  Management  Control 
Program  effectively  transfers  financial  functions  as  a  result  of  DoD’s  Base 
Realignment  and  Closure. 

Management  Comments.  The  Director,  DFAS  Kansas  City  nonconcurred.  He 
stated  that  the  transfer  of  the  Management  Control  Program  to  DFAS  Cleveland  is 
included  in  the  DFAS  Kansas  City  Base  Realignment  And  Closure  Closing  Plan 
(August  2006).  DFAS  Kansas  City  has  coordinated,  and  will  continue  to 
coordinate,  with  DFAS  Cleveland.  He  added  that  this  recommendation  is  out  of 
scope  for  the  time  frame  of  the  audit. 

Audit  Response.  Although  the  Director,  DFAS  Kansas  City  nonconcurred,  the 
comments  indicate  that  corrective  actions  have  been  taken  because  the  transfer  of 
the  Management  Control  Program  is  addressed  in  the  DFAS  Kansas  City  Base 
Realignment  And  Closure  Closing  Plan,  August  2006.  These  comments  are 
responsive  and  no  further  comments  are  requested. 

B. Financial Management System Controls Reporting

DFAS  Headquarters  and  DFAS  Kansas  City  did  not  comply  with  the 
reporting  requirements  of  FFMIA  or  FMFIA  Section  4.  They  did  not 
comply  with  reporting  requirements  because  they  relied  on  DoD  to  report 
financial  management  system  weaknesses  at  the  Department  level.  In 
addition,  they  relied  on  DoD  to  submit  a  remediation  plan  at  the 
Department  level  for  DoD-wide  material  weaknesses.  As  a  result,  DFAS 
Kansas  City  did  not  ensure  that  USMC  financial  management  systems: 

•  were  United  States  Standard  General  Ledger  compliant, 

•  could  provide  accurate  and  timely  information  for 
decision-makers,  and 

•  could  produce  consistent  and  reliable  financial  statements. 

Without  Component-level  reporting,  DoD  cannot  accurately  report  on  its 
financial  systems  as  a  whole. 


FFMIA  and  FMFIA  Section  4  Reporting 


DFAS  Headquarters  and  DFAS  Kansas  City  did  not  comply  with  FFMIA  and 
FMFIA  ASA  Section  4  reporting.  DFAS  Kansas  City  stated  that  the  Business 
Transformation Agency⁵ would report the financial management system
weaknesses  because  these  are  DoD-wide  material  weaknesses.  In  addition,  DFAS 
Headquarters  and  DFAS  Kansas  City  relied  on  DoD  to  report  system  weaknesses 
and  the  associated  remediation  plan  at  the  Department  level.  DoD  created  the 
Financial  Improvement  and  Audit  Readiness  Plan  to  address  all  financial 
management  improvement  actions  needed  and  to  serve  as  the  remediation  plan  for 
DoD  financial  management  systems  weaknesses. 

FFMIA  establishes  a  statutory  requirement  for  agency  heads  to  annually  assess 
whether  their: 

•  financial  management  systems  comply  with  Federal  financial  management 
system  requirements, 


• financial management systems comply with applicable Federal accounting
standards, and

• Standard General Ledger is at the transaction level.

⁵ The Business Transformation Agency has been established to a) ensure consistency, consolidation, and
coordination of DoD Enterprise-level business systems, and b) reduce redundancies in business systems
and overhead costs.

Agencies  that  are  not  substantially  compliant  with  these  requirements  must 
develop  remediation  plans  to  achieve  compliance.  In  addition,  financial  system 
weaknesses  identified  under  FFMIA  should  be  reported  in  FMFIA  Section  4  of 
the  ASA. 

DFAS  Headquarters  and  DFAS  Kansas  City  officials  stated  that  financial 
management  system  weaknesses  were  reported  at  the  Department  level;  therefore, 
they  knew  weaknesses  existed  with  information  systems.  Yet,  DFAS 
Headquarters  and  DFAS  Kansas  City  did  not  report  any  weaknesses  in  their 
FFMIA  or  FMFIA  ASA  Section  4  reporting.  The  FY  2005  FMFIA  ASA 
Section  4  reporting  guidance  did  not  address  if  the  Components  were  responsible 
for  reporting  financial  management  system  weaknesses.  The  FY  2006  guidance 
states that the Department will not require Components to identify or report
Section 4 nonconformance weaknesses. DFAS Headquarters and DFAS Kansas
City  did  not  submit  Component-level  information  for  FFMIA  reporting.  It  is 
unclear  whether  the  financial  management  system  weaknesses  identified  at  the 
DoD  level  were  applicable  to  the  DFAS  financial  management  systems.  Whether 
DFAS  can  produce  timely  and  reliable  financial  statements  including  USMC 
financial  statement  information  is  not  readily  evident. 


Management  Comments  on  the  Finding  and  Audit  Response 


Management  Comments  on  Financial  Management  System  Controls 
Reporting.  The  Director,  DFAS  Kansas  City  included  in  his  comments  a 
response  from  the  Chief  Information  Officer,  DFAS.  In  his  response,  the  Chief 
Information  Officer,  DFAS  stated  that  DFAS  Kansas  City  was  in  compliance  with 
the  Office  of  the  Under  Secretary  of  Defense  (Comptroller)  guidelines.  DFAS  did 
not  conduct  FMFIA  process  and  system  compliance  testing  in  FYs  2005  and 
2006.  He  added  that  if  DFAS  had  identified  material  weaknesses  during  its 
financial  management  reviews,  DFAS  would  have  reported  the  weaknesses  in  the 
agency’s  FMFIA  Section  4  report.  The  Chief  Information  Officer,  DFAS  also 
explained  the  system  testing  processes  applicable  to  FY  2007. 

Audit  Response.  We  agree  the  FY  2005  FMFIA  ASA  Section  4  reporting 
guidance  did  not  address  whether  Components  were  responsible  for  reporting 
financial  management  system  weaknesses.  Also,  we  agree  the  FY  2006  guidance 
states  that  the  Department  will  not  require  Components  to  identify  or  report 
Section 4 nonconformance weaknesses. However, without this information from
DFAS,  it  is  unclear  whether  the  financial  management  system  weaknesses 
identified  at  the  DoD  level  were  applicable  to  the  DFAS  financial  management 
systems. 

Recommendations, Management Comments, and Audit Response


Redirected.  As  a  result  of  management  comments,  we  redirected 
Recommendation  B.2.  to  the  Director,  DFAS.  DFAS  should  develop  remediation 
plans  to  comply  with  FFMIA  reporting. 

B.1. We recommend the Director, Defense Finance and Accounting Service
Kansas  City  report  the  financial  management  systems  material  weaknesses 
in  the  Federal  Financial  Management  Improvement  Act  report  and  Federal 
Managers’  Financial  Integrity  Act  Annual  Statement  of  Assurance  Section  4, 
if  applicable,  after  implementing  the  recommendations  from  finding  A. 

Management  Comments.  The  Director,  DFAS  Kansas  City  included  in  his 
comments  a  response  from  the  Chief  Information  Officer,  DFAS.  In  his  response, 
the  Chief  Information  Officer,  DFAS  nonconcurred.  However,  he  agreed  there 
was  no  clear  guidance  for  the  FMFIA  ASA,  Section  4  submission  in  FYs  2005 
and 2006. Therefore, DFAS did not submit any information for the FMFIA ASA
Section  4.  He  stated  that  DFAS  has  established  a  working  group  to  develop  an 
FFMIA  implementation  plan  for  FY  2007  and,  as  demonstrated  in  their  FY  2007 
FMFIA  ASA  Section  4  report,  DFAS  has  developed  a  more  “systematic, 
repeatable,  and  standard”  method  for  collecting  and  evaluating  system 
compliance  across  the  enterprise  that  mitigates  future  issues. 

Audit  Response.  Although  the  Chief  Information  Officer,  DFAS  nonconcurred, 
the  comments  indicate  that  corrective  actions  have  been  taken  in  FY  2007  that 
would  have  corrected  the  deficiencies  identified  in  our  report.  These  comments 
are  responsive  and  no  further  comments  are  requested. 

B.2.  We  recommend  the  Director,  Defense  Finance  and  Accounting  Service 
develop  a  remediation  plan  for  identified  financial  management  system 
material  weaknesses.  If  the  DoD  Financial  Improvement  and  Audit 
Readiness  Plan  is  used  as  the  remediation  plan,  ensure  that  Defense 
Financial  and  Accounting  Service  Kansas  City  specific  remediation  actions 
are  included  in  the  Plan. 

Management  Comments.  The  Director,  DFAS  Kansas  City  included  in  his 
comments  a  response  from  the  Chief  Information  Officer,  DFAS.  In  his  response, 
the  Chief  Information  Officer,  DFAS  nonconcurred.  He  stated  that  DFAS  does 
not  have  a  requirement  to  develop  a  remediation  plan  as  there  are  no  identified 
financial  management  system  material  weaknesses. 

Audit  Response.  The  Chief  Information  Officer,  DFAS  comments  are  not 
responsive.  Based  on  inadequate  testing  for  FYs  2005  and  2006  (finding  A), 
financial  management  system  material  weaknesses  would  not  have  been 
identified.  We  do  not  agree  that  DFAS  does  not  have  financial  management 
system material weaknesses. Joint Financial Management Improvement Program
testing identified five high priority requirement failures. Identified material
weaknesses  would  require  DFAS  to  prepare  a  remediation  plan  to  address  the 
failures.  We  request  that  Director,  DFAS  review  and  comment  on  our 
recommendation  to  develop  remediation  plans  to  comply  with  FFMIA  reporting. 

C. FISMA Reporting

DFAS  Headquarters  submitted  an  incomplete  FISMA  Report. 
Specifically,  DFAS  Headquarters  did  not: 

•  use  a  complete  list  of  systems, 

•  request  network  and  training  information  from  all  DFAS  sites, 
and 

• maintain supporting documentation for the information
submitted  in  the  FISMA  report. 

FISMA  reporting  was  incomplete  because  DFAS  Headquarters  did  not 
have  standard  operating  procedures  in  place  for  compiling  and 
documenting  FISMA  reporting  information.  Because  of  the  incomplete 
information  and  lack  of  documentation,  DFAS  Headquarters  could  not 
ensure  they  had  all  the  necessary  information  to  support  FISMA 
requirements,  and  DFAS  Kansas  City  could  not  ensure  that  systems, 
including  USMC  financial  statement  systems,  were  secure. 


Information  System  Inventory 


DFAS Headquarters Chief Information Office used the IT Registry⁶ to compile
the FY 2005 FISMA systems information. The DFAS Headquarters Chief
Information Office should have requested that each DFAS site submit systems
inventory information for the systems they use. DoD Office of Inspector General
and  the  Government  Accountability  Office  (GAO)  have  reported  that  the  IT 
Registry,  which  is  intended  to  be  an  inventory  of  mission-critical  and 
mission-essential  systems,  is  unreliable  and  incomplete.  Additionally,  the  Under 
Secretary  of  Defense  (Comptroller)/Chief  Financial  Officer  has  not  relied  on  the 
IT  Registry  to  develop  its  list  of  systems  to  be  reported  to  Congress  but  has  issued 
separate  data  calls;  therefore,  DFAS  Headquarters  should  have  used  other  sources 
for  FISMA  reporting.  The  FY  2005  FISMA  report  is  not  reliable  because 
incomplete  and  unreliable  system  inventory  information  was  used  to  compile  the 
report.  DFAS  did  not  have  policies  and  procedures  to  explain  which  systems 
were  supposed  to  be  included  in  the  FISMA  report. 


Information  Requested  from  DFAS  Sites 


The  DFAS  Headquarters  Chief  Information  Office  requested  only  training  metrics 
from DFAS Kansas City. In contrast, the DFAS Headquarters Chief Information
Office requested additional FISMA information pertaining to DFAS network
services from other DFAS sites. The DFAS Headquarters Chief Information
Office did not request standard information at the Component level. Without this
information, DFAS cannot ensure reliable system security reporting. Standard
operating procedures would explain the compilation process at the Component
level and ensure that standard information is gathered at the Component level.

⁶ The IT Registry is a database of mission-critical and mission-essential information technology (IT)
systems. This database is maintained by the DoD Chief Information Office.


Maintaining  FISMA  Documentation 


The  DFAS  Headquarters  Chief  Information  Office  did  not  maintain 
documentation  to  support  the  DFAS  FISMA  report.  In  addition,  DFAS  Kansas 
City  did  not  maintain  documentation  to  support  the  information  it  submitted  to  the 
DFAS  Headquarters  Chief  Information  Office  for  the  DFAS  FISMA  report. 

DFAS  did  not  have  policies  and  procedures  that  required  documentation  to  be 
maintained  for  audit  purposes.  In  the  absence  of  these  policies  and  procedures, 
we  were  unable  to  determine  how  the  DFAS  FISMA  reporting  was  completed  and 
whether  the  reported  system  information  was  supported. 


Conclusion 


Although  DFAS  Headquarters  FY  2005  FISMA  report  did  not  identify  any 
material  weaknesses  with  their  IT  systems,  the  report  was  based  on  incomplete 
and  unreliable  data.  DFAS  Headquarters  could  not  ensure  that  they  had  all  the 
necessary  information  to  support  FISMA  requirements  ensuring  security  over  all 
systems.  This  information  should  include  those  systems  used  to  process  USMC 
financial  statement  data.  In  addition,  DFAS  Headquarters  and  DFAS  Kansas  City 
did  not  maintain  supporting  documentation  to  provide  an  audit  trail.  Without  this 
supporting  documentation,  DFAS  Headquarters  was  unable  to  ensure  that  its 
FY  2005  FISMA  report  is  accurate. 


Management  Comments  on  the  Finding  and  Audit  Response 


Management  Comments  on  FISMA  Reporting.  The  Director,  DFAS  Kansas 
City  included  in  his  comments  a  response  from  the  Chief  Information  Officer, 
DFAS.  The  Chief  Information  Officer,  DFAS  disagreed  with  the  finding.  In  his 
response,  he  stated  that  DFAS  processes  in  place  did  provide  an  efficient  means 
for  providing  training  and  collecting  information  to  ensure  accurate  reporting 
compliance  with  the  FYs  2005  and  2006  FISMA  requirements. 

Audit  Response.  DoD  Office  of  Inspector  General  and  the  Government 
Accountability  Office  have  reported  that  the  IT  Registry,  which  is  intended  to  be 
an inventory of mission-critical and mission-essential systems, is unreliable and
incomplete.  DFAS  used  the  IT  Registry  to  compile  the  FY  2005  FISMA  systems 
information.  Without  a  complete  list  of  major  systems,  DFAS  could  not  ensure  it 
had  all  the  necessary  information  to  support  FISMA  requirements.  In  addition, 
the Chief Information Officer, DFAS did not request standard information at the
Component level. Without this information, DFAS cannot ensure reliable system
security reporting. DFAS Kansas City did not maintain documentation to support
the information it submitted to the Chief Information Officer, DFAS for the
DFAS  FISMA  report.  Without  this  supporting  documentation,  DFAS  was  unable 
to  ensure  that  its  FY  2005  FISMA  report  was  accurate. 


Recommendations,  Management  Comments,  and  Audit 
Response 


Clarified.  As  a  result  of  management  comments,  we  clarified 
Recommendation  C  specifically  to  the  Director,  DFAS  to  ensure  standard 
operating  procedures  are  used  to  support  the  FISMA  reporting  process. 

C.  We  recommend  Defense  Finance  and  Accounting  Service  Headquarters 
document  and  implement  standard  operating  procedures  for  the  Federal 
Information  Security  Management  Act  reporting  process.  These  standard 
operating  procedures  should  include  a  consistent  method  for  collecting 
information  from  Defense  Financial  and  Accounting  Service  sites  as  well  as 
provide  a  specific  amount  of  time,  a  minimum  of  2  years,  for  maintaining 
supporting  documentation. 

Management  Comments.  The  Director,  DFAS  Kansas  City  included  in  his 
comments  a  response  from  the  Chief  Information  Officer,  DFAS.  In  his  response, 
the  Chief  Information  Officer,  DFAS  nonconcurred.  He  stated  that  DFAS  uses 
the  prescribed  DoD  policies  and  procedures  and  only  augments  them  as  necessary 
to  ensure  accurate  and  reliable  reporting.  To  that  end,  DFAS  has  standard 
operating  procedures  to  ensure  compliance  with,  and  accurate  reporting  in 
accordance  with,  FISMA  policies  and  procedures  that  are  in  compliance  with 
statutory  and  regulatory  guidelines.  The  Chief  Information  Officer,  DFAS  stated 
that  DFAS  revised  the  Chief  Information  Office  policies  published  in  FY  2007 
which  mandate  compliance  with  FISMA,  FFMIA,  and  FMFIA  and  directs  that  all 
DFAS information systems comply with established standards.

Audit Response. The Chief Information Officer, DFAS nonconcurred and the
comments  were  not  responsive.  Although  DFAS  stated  that  it  revised  Chief 
Information  Office  policies  in  FY  2007,  the  Chief  Information  Officer  did  not 
adequately  comment  on  identifying  a  complete  list  of  systems  from  all  available 
sources.  In  addition,  the  Chief  Information  Officer  did  not  comment  on 
maintaining the support for the information requested and received. We request
that  the  Director,  DFAS  review  and  comment  on  our  recommendation  to 
document  and  implement  standard  operating  procedures  for  the  FISMA  reporting 
process. 

Appendix A. Scope and Methodology


We  conducted  this  audit  from  November  2005  through  July  2007  in  accordance 
with  generally  accepted  government  auditing  standards.  Those  standards  require 
that  we  plan  and  perform  the  audit  to  obtain  sufficient,  appropriate  evidence  to 
provide  a  reasonable  basis  for  our  findings  and  conclusions  based  on  our  audit 
objectives.  We  believe  that  the  evidence  obtained  provides  a  reasonable  basis  for 
our  findings  and  conclusions  based  on  our  audit  objectives. 

We  reviewed  the  Internal  Control  Program  related  to  FMFIA,  FFMIA,  and 
FISMA  reporting  by  DFAS  Kansas  City.  We  limited  our  scope  to  the  DFAS 
Kansas  City  Accounting  Business  Line.  Specifically,  we  reviewed  the  DFAS 
Kansas  City  assessable  units,  control  objectives  and  techniques,  and  testing 
documentation.  We  interviewed  DFAS  Kansas  City  personnel  to  determine  how 
the  assessable  units  were  identified,  what  control  objectives  and  techniques  were 
in  place  during  FY  2005,  and  how  these  internal  controls  were  tested.  We  also 
interviewed  DFAS  Headquarters  personnel  regarding  FFMIA  and  FISMA 
information  that  supported  the  Annual  Statement  of  Assurance.  We  reviewed  the 
Manager’s  Annual  Assessable  Unit  Certification  Statements  and  the  Management 
Control  Evaluations  that  were  completed  for  each  assessable  unit  in  support  of  the 
annual  reporting  requirements.  We  could  not  assess  the  adequacy  of  the 
Manager’s  Annual  Assessable  Unit  Certifications  as  documentation  did  not  exist 
to  support  the  testing  of  the  internal  controls.  We  subsequently  reviewed  the 
FY 2006 DFAS Kansas City ASA and supporting information.

Use  of  Computer-Processed  Data.  We  did  not  use  computer-processed  data  to 
perform  this  audit. 

Government  Accountability  Office  High-Risk  Area.  The  Government 
Accountability  Office  has  identified  several  high-risk  areas  in  DoD.  This  report 
provides  coverage  of  the  Financial  Management  high-risk  area.  GAO  considered 
DoD  Financial  Management  a  high  risk  because  DoD’s  financial  management 
deficiencies  represent  the  single  largest  obstacle  to  achieving  an  unqualified 
opinion  on  the  U.S.  Government’s  consolidated  financial  statements. 


Prior  Coverage 


No  prior  coverage  has  been  conducted  on  FMFIA,  FFMIA,  and  FISMA  reporting 
on  behalf  of  the  USMC  by  DFAS  Kansas  City  during  the  last  5  years.  However, 
DFAS Internal Review performed a review of the DFAS' FMFIA Program from
August 2005 through September 2005. Their review objective was to determine
what actions DFAS should take to transform the FMFIA Program to comply with
OMB Circular A-123 and its Appendix A. The review found DFAS infrastructure
is not adequate to address the newly required internal control assessment
methodology as required by OMB Circular A-123, revised December 21, 2004,
because (1) management has not clearly identified internal and external risks;
(2) DFAS needs to issue supplemental guidance on the revised OMB
Circular A-123; and (3) no link exists between the databases related to internal
control  tracking,  which  includes  high  risk,  FMFIA,  and  audit. 

Appendix B. Report Distribution


Office  of  the  Secretary  of  Defense 

Under  Secretary  of  Defense  for  Acquisition,  Technology,  and  Logistics 
Director,  Acquisition  Resources  and  Analysis 
Under  Secretary  of  Defense  (Comptroller)/Chief  Financial  Officer 
Deputy  Chief  Financial  Officer 
Deputy  Comptroller  (Program/Budget) 

Director,  Program  Analysis  and  Evaluation 
Director,  Defense  Procurement  and  Acquisition  Policy 

Department  of  the  Navy 

Assistant  Secretary  of  the  Navy  (Manpower  and  Reserve  Affairs) 

Naval  Inspector  General 

Auditor  General,  Department  of  the  Navy 

Director,  Office  of  Financial  Operations,  Assistant  Secretary  of  the  Navy,  Financial 
Management  and  Comptroller 

Assistant  Deputy  Commandant  for  Programs  and  Resources  (Fiscal)  United  States 
Marine  Corps 


Other  Defense  Organizations 

Director,  Defense  Finance  and  Accounting  Service 

Chief  Information  Officer,  Defense  Finance  and  Accounting  Service 

Director,  Defense  Finance  and  Accounting  Service  Kansas  City 


Non-Defense  Federal  Organization 

Office  of  Management  and  Budget 

Congressional Committees and Subcommittees, Chairman and
Ranking Minority Member

Senate  Committee  on  Appropriations 

Senate Subcommittee on Defense, Committee on Appropriations
Senate  Committee  on  Armed  Services 

Senate  Committee  on  Homeland  Security  and  Governmental  Affairs 
House  Committee  on  Appropriations 

House  Subcommittee  on  Defense,  Committee  on  Appropriations 

House Committee on Armed Services

House Committee on Oversight and Government Reform

House Subcommittee on Government Management, Organization, and Procurement,
Committee on Oversight and Government Reform
House  Subcommittee  on  National  Security  and  Foreign  Affairs, 

Committee  on  Oversight  and  Government  Reform 

Defense Financing and Accounting Service
Comments


DEFENSE  FINANCE  AND  ACCOUNTING  SERVICE 

1500 E 95th STREET
KANSAS  CITY,  MISSOURI  64197-0001 


AUG 15 2007


DFAS-TB/KC 


MEMORANDUM FOR PROGRAM DIRECTOR, DEFENSE FINANCIAL AUDITING
SERVICE, DEPARTMENT OF DEFENSE INSPECTOR
GENERAL

SUBJECT: Management Comments to DoDIG Draft Report "Defense Finance and
Accounting Service Kansas City Federal Managers' Financial Integrity
Act, Federal Financial Management Improvement Act, and Federal
Information Security Management Act Reporting for FY 2005," Project
No. [illegible]FC-0204.000, dated July 18, 2007


Attached are management comments to Recommendations A through C of subject
audit report.

Questions your staff may have concerning the audit may be directed to
Mr. Mark L. Burnett, DFAS-KC/IB, commercial (816) 926-1208 or DSN 465-1208.


Director, DFAS Kansas City

Attachments: 

As  stated 




The Director, Defense Finance and Accounting Service Kansas City (DFAS-KC) is
providing comments on Finding A as follows:

Finding A. Adequacy of Internal Control Program

DFAS Kansas City did not adequately implement OMB, DoD, and DFAS guidance to
comply with FMFIA requirements. Specifically, DFAS Kansas City Accounting
Business Line personnel did not:

• complete required risk assessments for each functional area,

• properly identify management controls,

• determine whether all major functions were included in an assessable
unit, and

• provide control testing documentation supporting the FMFIA ASA report.

FMFIA requirements were not adequately implemented because DFAS Kansas City
Accounting Business Line personnel did not receive appropriate oversight and training.
In addition, they were not fully aware of their reporting responsibilities. As a result, the
processes did not meet FMFIA requirements, and DFAS-KC cannot ensure the reliability
of its FMFIA ASA.

Management Comments (DFAS-KC): Non-concur with the finding as written.
DFAS-KC understands the importance of strong internal management controls and takes
its function(s) very seriously. DFAS-KC has aggressively pursued continuous
improvement in our program and its functions.

DFAS-KC has or is:

• Established Internal Control Unit (Aug 2006) with dedicated knowledgeable
personnel that consists of three full-time personnel who are dedicated to the
program and drive the local deliverables. Prior to this, the individual assigned
was knowledgeable of the program, its requirements and supported those
requirements,

• Self-developed internal training from the DFAS regulation and has given this
training to the staff, in addition to one-on-one training to personnel on an
as-needed basis

• Requested and received on-site training from OSD(C) personnel on the program
activities.

• Received a favorable Validation Report by Naval Audit Service on its Fund
Balance with Treasury Assertion Package (FY 06)

• Received JFMIP certification of SABRS by independent firm (July 2005)

Risk assessments and the identification of internal controls and major functions were
performed in accordance with the DFAS Regulation 5010.38-R in effect at the time the
Audit was announced in September 2005. We believe the DFAS Regulation was in
accordance with the OMB A-123 Guidance.

Specifically,

• Risk Assessments were completed as part of the Management Control Assessable
Unit Matrix Evaluation Form, documented, and signed in accordance with DFAS
5010.38-R (May 2002). The May 2002 DFAS 5010.38-R did not require risks tied
to the existence, completeness, valuation, rights and obligations, and presentations
and disclosure. The Regulation identified risks as “the waste, loss, unauthorized
use, or misappropriation due to the nature of the functions.” We believe that the
(May 2002) DFAS 5010.38-R Regulation in effect at the time of audit is in
agreement with the OMB A-123 Requirements for Section 2 of the FMFIA. The
risk criteria cited by the IG applies to the organizations responsible for reporting
Internal Controls over Financial Reporting (OMB A-123 Appendix A) not DFAS-KC.
Moreover, separate risk assessment forms were not required in addition to the
A/U Matrixes.

• Management controls and functions were identified IAW (May 2002) DFAS
5010.38-R.

• Controls. Our review of Assessable Unit Matrixes for FY 2005 and FY 2006 found
that 83% and 97% respectively did not use Performance Management Indicators
(PMI's) as Key Controls. PMI's were identified in addition to other controls in
those Assessable Units noted by the IG.

• Assessable Unit Functions. Per the regulation, managers were responsible for
making assessments as to if all of their major functions were included in the
respective assessable units. Flowcharts were not required by the (May 2002) DFAS
5010.38-R. We do agree the local SOP did require flowcharts, but it was not being
followed.

• DFAS-KC agrees that retained test documentation could not be provided by all
areas, but this does not support that the documentation for FY 2005 and 2006 taken
as a whole do not support the FY 2005 and 2006 Annual Statements of Assurance.
This does not support that control testing was not done, but rather that
documentation was not available. DFAS-KC received positive feedback on its
FBWT processes from the NAVAUDSVC in 2006. In addition, SABRS JFMIP
Certification by an independent firm in July 2005 required extensive testing and
validation.

[Final Report Reference: Revised and Redirected, Page 7]

Summary: 

DFAS-KC does not agree that the processes reviewed did not provide adequate
information to ensure accurate reporting for compliance with the 2005 and 2006 Annual
Statements of Assurance. DFAS-KC sought, on its own initiative, to improve and
strengthen the Internal Management Control Program in addition to implementing a new
Internal Control Unit in August 2006 to improve the Section 2 Reporting.

DFAS-KC does not agree that its internal controls processes could not identify risks and
design or institute controls to minimize risk, but does agree that reporting and
documentation could have been improved.

Recommendation A1: Provide training to DFAS-KC Personnel to ensure compliance
with OMB and DFAS Policies. Specifically, the training should cover:

a. adequate risk assessments,

b. the associated internal controls to ensure reliability,

c. measurable assessable units, and

d. procedures for maintaining control testing documentation.

Management Comments: Non-Concur. As stated in our response to the conditions
above, DFAS-KC did recognize the need for training and conducted local training in
April and September 2006. DFAS-KC upgraded its program by establishing the new
Internal Control Unit (Aug 2006) with 3 FTE's assigned and the resulting one-on-one
training with managers.

Recommendation A2: Designate knowledgeable personnel to lead and monitor the
DFAS-KC M/C Program.

Management  Comments:  Non-Concur.  DFAS-KC  has  had,  and  continues  to  have, 
knowledgeable  personnel  to  lead  and  monitor  its  Management  Control  program.  As 
stated  in  our  response  to  the  condition,  DFAS-KC  established  a  three-person 
Management  Control  Team  in  August  of  2006  to  provide  additional  support  and 
capabilities.

Recommendation A3: Coordinate with DFAS-CL to ensure DFAS-KC's Management
Control Program effectively transfers financial functions as a result of DOD BRAC.

Management Comments: Non-Concur. The transfer of the Management Control
Program to DFAS-CL is included in the DFAS-KC BRAC Closing Plan (Aug 2006).
DFAS-KC has coordinated, and will continue to coordinate with DFAS-Cleveland. This
is accomplished on an on-going basis. This recommendation is out of scope for the
timeframe of the audit.


Finding  B  and  C  are  redirected  to  DFAS  Chief  Information  Office  as  Action  Office 
for  DFAS. 

The Chief Information Officer, Defense Finance and Accounting Service (DFAS-CIO) is
providing comments on Finding B and C as follows.

Finding  B.  Financial  Management  System  Controls  Reporting 

DFAS headquarters and DFAS Kansas City did not comply with the reporting
requirements of FFMIA or FMFIA Section 4. They did not comply with reporting
requirements because they relied on DoD to report financial management system
weaknesses at the Department level. In addition, they relied on DoD to submit a
remediation plan at the Department level for DoD-wide material weaknesses. As a result,
DFAS Kansas City did not ensure that USMC financial management systems: were US
Standard General Ledger compliant; could provide accurate and timely information for
decision-makers, and could produce consistent and reliable financial statements.

Management Comments (DFAS-CIO): Non-concur. In compliance with the Office
of the Under Secretary of Defense (Comptroller) (OUSD(C)) guidelmesb D
conduct FMFIA process and system compliancy testing in FY05 and FY06 .

and in compliance with the Office of the Under Secretary of Defense (Comptroller)
(OUSD(C)) guidelines, DFAS conducted systems testing and found no material
weaknesses that would adversely affect a reporting entity's financial position at any point
in time. As documented in its FY07 FMFIA ASA Section 4 report, DFAS has made
significant progress in ensuring FMFIA compliancy. DFAS did not find any material
weakness as a result of process reviews and testing and as such does not have any
material weaknesses to report for Kansas City financial management processes ' “
systems. If DFAS had identified material weaknesses during its financial management
reviews, the weaknesses would be reported in the Agency’s FMFIA Section 4 report.

Recommendation B1: Report the financial management systems material weaknesses
in the FFMIA report and FMFIA ASA Section 4, if applicable, after implementing
recommendations from finding A.

Management Comments: Non-concur. DFAS does not have any material weakness to
be reported in FFMIA or FMFIA ASA, Section 4. In accordance with OUSD(C)
guidelines for the FY07 FMFIA ASA Section 4 reporting requirement, DFAS
documented its financial business processes by customer. In accordance with OUSD(C)
guidelines, it developed system test scripts and conducted systems tests for those systems
that contributed more than 85 percent of the financial transaction data on a given line of
our customers’ financial statements including those systems supporting the Marine Corps
and found no material weaknesses. In addition, DFAS has established an FFMIA
Working Group and is moving forward with development of an FFMIA implementation
plan in close cooperation with DFAS Strategic Business Management (SBM) and our
DFAS customers.

DFAS is exercising deliberate caution to be prudent in its approach to minimize
expenditures for systems testing in response to Administration and congressional
concerns of wasteful or excessive spending on systems that are not planned to be retained
as part of the Department's system strategy led by the Business Transformation Agency
or in cases where a reporting entity is not ready for a financial audit.

We do agree there was a lack of communications on what should have been reported in
the FMFIA Report (Section 4). However, there were no clear guidance/requirements for
the FMFIA ASA, Section 4 submission in FY05 or FY06. In fact, it was our
understanding that the FFMIA submission was not to be submitted during the period.
Based on this understanding, DFAS did not submit any information for the FMFIA ASA
Section 4. However, as demonstrated in our FY07 FMFIA ASA Section 4 report, DFAS
has developed a more systematic, repeatable, and standard method for collecting and
evaluating system compliance across the enterprise that mitigates future issues.

We  recommend  that  additional  issues  related  to  FY05  and  FY06  FMFIA  ASA,  Section  4 
reporting  requirements  be  referred  to  the  OUSD  (C)  as  DFAS  was  in  compliance  with 
established  reporting  requirements  and  the  Department’s  intent  to  address  these  at  the 
Department level.

Recommendation B2: Develop a remediation plan for identified financial management
system material weaknesses. If the DoD Financial Improvement and Audit Readiness
Plan is used as the remediation plan, ensure that DFAS Kansas City remediation actions
are included in the plan.

Management Comments: Non-concur. DFAS does not have a requirement to develop
a remediation plan as there are no identified financial management system material
weaknesses requiring such a plan.

Finding C. FISMA Reporting

DFAS headquarters submitted an incomplete FISMA Report. Specifically, DFAS
Headquarters did not:

• use a complete list of systems,

• request network and training information from all DFAS sites, and

• maintain supporting documentation for the information submitted in the FISMA
Report.

Management Comments (DFAS-CIO): Concur in part. The finding addresses the
way that the data was collected and reported rather than what is contained in the report.
The IG report questions the DFAS methodology for collecting data to be reported rather
than the data itself.

Use a complete list of systems. Nonconcur. DFAS has always had a complete list of
major systems as required by FISMA and DoD guidelines. DFAS collected systems and
network related information from System and Functional Managers rather than by site.
In FY05 when the audit was conducted, the systems were under a Business Lines chain of
command rather than a site chain of command. The Kansas City Site Director was not
responsible for providing systems documentation for FISMA reporting. However, KC
systems documentation for those systems supporting the MC was collected from the
appropriate system management (SM) staff or from the network staff as appropriate and
included in the Agency FISMA report. The methodology for collecting and reporting has
been and is consistent. All SMs and functional managers used the DoD-prescribed
reporting guidelines and formats and the data was validated by DFAS HQ. In FY06 and
FY07 when the systems were moved under the Director for Information and Technology
(I&T), the same approach was used, but in this case the SMs and functional managers
were under the Director, I&T chain of command so management and reporting were
more efficient.

Request network and training information from all DFAS sites. Non-concur. DFAS
did not use the Central Site Directors to collect training information, rather it used its
network of trusted site IAMs to collect and report IA training data from all DFAS sites.
This is the same group that is responsible for PKI and other security issues and who have
been responsible for ensuring completion of IA training to the DFAS network. As a
corollary, the DFAS system and network data was collected from SMs and Functional
Managers as described above. This methodology has been consistently applied and is the
most efficient way to collect data. The same methodology and approach was used in
FY06 and again in FY07. The major difference in these cases was that the systems were
all consolidated under the Director, Information and Technology in FY06 so the reporting
chain was through the Director, I&T so the management of the data and the reporting
flowed up the same chain instead of having to go through the DFAS Business Lines.

This improved process reviews and reporting. In the case of training data, this is
centrally managed and reported through the Director I&T. In FY06, to improve data
collection and reporting, an Agency portal project was established as a repository for
training certificates to ensure validation of training in advance of report submission. This
was improved in FY07 with the establishment of an automated link between the IA
training and the Agency’s Human Resources Training History file which is bumped
against the Agency’s time and attendance file to track training completion for all civilian
employees, military service members and contractors.


DFAS Headquarters did not maintain supporting documentation for the
information submitted in the FISMA Report. Non-concur. In FY05 as documented
above DFAS HQ used its IAM network to train and report results vice Site Directors or
Business Line managers. This approach provided an efficient means of delivering the
training to all of Business Line and Oversight organizations operating at the DCAi.
locations. While this approach was operationally efficient, the reports still had to be
consolidated and reported by DFAS Headquarters. This has since been streamlined and
strengthened. Beginning in FY06, the Agency training was provided and managed
centrally as part of the Agency SPIRIT Training and the certification of completion is
posted to the HR Training History file for record. While this history is retained in the
personnel’s training history and is not overwritten annually with the completion of the
next year’s training, DFAS non-concurs with the requirement to retain the record for a
minimum of two years. IA Awareness Training is an annual certification and all civilian
employees, military service members and contractors are required to be recertified every
year, so the retention of the record longer than one year is unnecessary.

Recommendation C: We recommend DFAS Headquarters document and implement
standard operating procedures for the FISMA reporting process. These standard
operating procedures should include a consistent method for collecting information from
the DFAS sites as well as provide a specific amount of time, a minimum of 2 years, for
maintaining supporting documentation.


Management Comments: Non-concur. DFAS uses the prescribed DoD policy and
procedures and only augments them as necessary to ensure accurate and reliable
reporting. To that end, DFAS has standard operating procedure to ensure compliance
with and accurate reporting in accordance with FISMA policies and procedures that are
in compliance with statutory and regulatory guidelines. As a matter of fact, the Agency's
revised CIO policies published in FY07 mandate compliance with FISMA, FFMIA and
FMFIA and direct that all DFAS information systems will comply with established
standards.

As an independent reference point DFAS received an “A” for Certification and
Accreditations (C&As) and Security Metrics in a Published Briefing Report (FISMA
Reporting Metrics), dated 18 Oct 2006. However, we are constantly evaluating
alternatives to improve upon our existing processes and procedures, and apply any
lessons learned across the enterprise as evidenced by our improved processes for systems
assessments and the management and collection of training certifications.

Summary: 

DFAS Headquarters does not agree with the DoDIG findings or recommendations. The
processes in place did provide an efficient means for providing training and collecting
information to ensure accurate reporting for compliance with the 2005 and 2006 FISMA
requirements. DFAS has continually strived to satisfy statutory and regulatory
requirements and to improve and strengthen every aspect of the Internal Management
Control Program.

The DFAS Point of Contact for Finding A is Mark Burnett, DFAS-KC/JB; (816) 926-1208;
and DFAS Point of Contact for Findings B and C is Norman Noe,
DFAS-FN/EOT/YB/nTO; (317) 510 5864